5 Answers
5

Passwords on a Linux system are not encrypted; they are hashed, which is a huge difference.

It is not possible to reverse a hash function by definition.
For further information see the Hash Wikipedia entry.

Which hash function is used depends on your system configuration. MD5 and Blowfish are common examples of hash functions used.

So the "real" password of a user is never stored on the system.

If you log in, the string you enter as the password will be hashed and checked against your /etc/shadow file. If it matches, you obviously entered the correct password.

Anyway, there are still some attack vectors against the password hashes. You could keep a dictionary of popular passwords and try them automatically. There are a lot of dictionaries available on the internet. Another approach would be to just try out all possible combinations of characters, which will consume a huge amount of time. This is known as a brute-force attack.

Rainbow tables are another nice attack vector against hashes. The idea behind this concept is to simply precalculate all possible hashes and then just look up a hash in the tables to find the corresponding password. There are several distributed computing projects to create such tables; the size differs depending on the characters used and is mostly several TB.

To minimize the risk of such lookup tables, it's a common practice and the default behaviour in Unix/Linux to add a so-called "salt" to the password hash. You hash your password, add a random salt value to the hash and hash this new string again. You need to save the new hash and the salt to be able to check if an entered value is the correct password. The huge advantage of this method is that you would have to create new lookup tables for each unique salt.

A popular tool to execute dictionary or brute force attacks against user passwords of different operating systems is John The Ripper (or JTR).
See the project homepage for more details:

John the Ripper is a fast password
cracker, currently available for many
flavors of Unix, Windows, DOS, BeOS,
and OpenVMS. Its primary purpose is to
detect weak Unix passwords.

Are there any animation tutorials available to explain those things?
– Kumar Sep 24 '10 at 4:42

2

Which things? I don't know any, but IMHO the linked resources explain the topics clearly enough and I'm sure you will find much more information if you put a little effort into searching/reading.
– echox Sep 24 '10 at 7:19
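The login check and per-user salt described in the answer above, as an added example that is not part of the original answers. It uses PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for the crypt(3) schemes a real /etc/shadow uses; the `pbkdf2-sha256` scheme label, the simplified `user:$scheme$salt$hash` layout, the round count and the sample accounts are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"   # hypothetical label, not a real crypt(3) scheme id
ROUNDS = 100_000           # constructed work factor for this demo


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def make_entry(user, password, salt=None):
    """Return a simplified shadow-style line: user:$scheme$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{user}:${SCHEME}${_b64(salt)}${_b64(digest)}"


def parse_entry(entry):
    """Split a line into (user, salt, stored_digest); reject unknown schemes."""
    user, field = entry.split(":")[:2]
    _, scheme, salt_b64, digest_b64 = field.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    return user, base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify(entry, candidate):
    """Login check: re-hash the candidate with the stored salt, then compare."""
    _, salt, stored = parse_entry(entry)
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ROUNDS)
    return hmac.compare_digest(computed, stored)   # constant-time comparison


if __name__ == "__main__":
    # Constructed sample accounts: same password, different random salts.
    alice = make_entry("alice", "correct horse")
    bob = make_entry("bob", "correct horse")
    print(alice)
    print(bob)
    print("same stored hash:", parse_entry(alice)[2] == parse_entry(bob)[2])
    print("alice correct:", verify(alice, "correct horse"))
    print("alice wrong:  ", verify(alice, "Correct horse"))
```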

One-way encrypted means that you don't store the password but just its hash value. And the special property of the hash is that you cannot recreate the password from it. Think of it like only storing a number like the amount of letters. If I store a "5", I can then quickly check whether the word "Kumar" can be the password. But from "5" I cannot calculate back to "Kumar" (simplified example, the hash is more complex and collisions are way less common (if not rare) with modern hashing algorithms).
– tante Sep 23 '10 at 11:51

You can only decrypt the shadow file by brute force: it includes hashes of the passwords, so your only chance is to guess passwords, calculate the hash and look if the hashes are identical. See Wikipedia for details about the hash generation.

Passwords are encrypted using an algorithm that will take a password and create a hash that is unique to that password. This hash is stored in the /etc/shadow file. It is not possible to recover the password from the hash. The only methods of recovering a password are to either brute force the entire keyspace or to use some sort of dictionary attack. Early hash functions used the DES standard. The increase in computing power has made it possible to brute force the DES keyspace in a reasonable time. Modern hash functions used to encrypt passwords include MD5, SHA etc. More information on the crypt(3) library can be found here.